It has been nearly 7 years since a PS3 Official Firmware was last exploited (3.55 being the last), which predates many PS3 models and is why the later Slim and SuperSlim models have never been able to install Custom Firmware (CFW) or downgrade. That could all change: a team of three has been developing a new project, a 4.81 OFW exploit called PS3Xploit. "Unhackable PS3 models" may soon be a term of the past. The exploit is not quite there yet, but a HENkaku (Vita) style hack is very plausible. Currently the exploit allows flash dumps on all consoles, with flash write access to follow: the "unhackable" models (the later 25xx units onward) will not be able to write, but all earlier PS3s will, which means goodbye hardware flashers and hello software downgraders. The team consists of psx-place's very own @bguerville, @esc0rtd3w and W.

The project started when bguerville was looking through some of the WebKit source code (for unrelated research) and stumbled on a discovery; a discussion then formed here on the psx-place forums with theories on how the PS3 could be attacked using his findings. As time passed the team formed and the idea became a full-fledged project in development, and a request came to temporarily remove that discussion because the idea had spawned a project with a lot of potential. Sadly it is not ready for release quite yet (but soon): we know it is working, but additional development is needed to make it complete. The team is targeting Q1 2018 for the release of the exploit.

Recently team member esc0rtd3w announced the tentative release date on another forum, and some were apparently so grateful that they decided to break into his MEGA account and leak what they thought was the exploit or a key component of it. It was only a small piece of the whole and is quite useless by itself, so it did not harm the project or discourage the development team behind PS3Xploit. However, esc0rtd3w did lose some personal files, and the community lost the large collection of NoPSN apps for the PS3. Don't cancel those subscription services just yet, as esc0rtd3w is in the process of re-uploading the collection; you can follow the progress here.

I have also been told by the team that some of the details being reported elsewhere are not 100% accurate. Rest assured we have first-hand information about this upcoming exploit and will set the record straight and keep you supplied with the facts as they become available. bguerville has provided us with some details about this release and also tells us what they plan to release first: an IDPS dumper for 4.81 (all PS3 models), coming in the next 24 hours. (UPDATE >> Released)

I started investigating the PS3 WebKit about 6/7 months ago, but at the time it was only to gather information; I had no idea I would eventually be the one working on it!

At the end of August, I gave the information I had to esc0rtd3w & expected he would work on it alone. However, he knew nothing about WebKit exploitation & he started to collaborate with W. By hijacking WebKit, we inherit its privileges, which means we are root & we get access to lv2 syscalls. However, the PS3 OS is protected by NX (No eXecute, the BSD/Linux equivalent of DEP on Windows); no address randomisation though. Executing our own payload is made impossible by NX, but we can still execute code despite NX using ROP (Return Oriented Programming).
The principle is simple: select snippets from the system code (snippets like these are called gadgets) & assemble them so execution jumps from one gadget to the next until the task we planned is done. It requires providing values/parameters & offsets to each gadget instruction as well...
First week of September, I joined their effort & 2 weeks later we had ROP execution.
From that moment, I have been doing all the ROP development work alone while the other 2 helped with testing & researching (and debugging for esc0rtd3w).
Right now I have 2 ROP chains ready, one for idps dumping & the other for flash memory dumping.

The next part of the job is to modify the flash dumper into a flash writer.
When that is done & released, ps3 hardware flashers will have become mostly obsolete.

FYI, the IDPS dumper should work on any NOR/NAND model of PS3. Same goes for the flash memory dumper.

It was tested OK on SuperSlim.

Once the ROP work above is finished, there is much more to be done & hopefully more releases to come...

Stay tuned.....
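To make the ROP principle described above concrete (gadgets chained through return addresses, with the values each gadget loads interleaved at the right stack offsets), here is an added example that models a chain as the sequence of 64-bit words the exploit would place on the stack. This is not PS3Xploit code: the gadget addresses, their frame layouts and the r11/r3/r4 syscall convention are hypothetical, invented only for the simulation. What is real is the packing: the Cell PPU is a 64-bit big-endian core, so every word is emitted as a big-endian 64-bit value.

```python
import struct

# Every chain word is a 64-bit big-endian value (Cell PPU is 64-bit, big-endian).
WORD = struct.Struct(">Q")
FILL = 0x4141414141414141  # padding for frame slots a gadget never reads

# Hypothetical gadget table: addr -> (name, frame_words, value_index).
# A gadget consumes `frame_words` stack words after its own address, reads the
# register value from word `value_index` of that frame, then returns into the
# word that follows the frame (i.e. the next gadget address).
GADGETS = {
    0x0000_0000_0001_0000: ("load_r3", 3, 1),    # hypothetical: value sits at frame offset 1
    0x0000_0000_0001_0100: ("load_r4", 1, 0),    # hypothetical: value at frame offset 0
    0x0000_0000_0001_0200: ("load_r11", 1, 0),   # hypothetical
    0x0000_0000_0002_0000: ("syscall", 0, None), # hypothetical: issue syscall, then return
    0x0000_0000_0003_0000: ("halt", 0, None),    # hypothetical: ends the chain cleanly
}
ADDR = {name: addr for addr, (name, _, _) in GADGETS.items()}


def build_chain(steps):
    """steps: [(gadget_name, value_or_None)] -> packed big-endian chain bytes."""
    words = []
    for name, value in steps:
        addr = ADDR[name]
        _, frame_words, value_index = GADGETS[addr]
        frame = [FILL] * frame_words
        if value_index is None:
            if value is not None:
                raise ValueError(f"{name} takes no value")
        else:
            if value is None:
                raise ValueError(f"{name} needs a value")
            frame[value_index] = value & 0xFFFF_FFFF_FFFF_FFFF
        words.append(addr)      # return address that enters the gadget
        words.extend(frame)     # values/padding the gadget consumes before returning
    return b"".join(WORD.pack(w) for w in words)


def run_chain(chain, syscall):
    """Simulate execution; returns the list of (r11, r3, r4) syscall invocations."""
    if len(chain) % WORD.size:
        raise ValueError("chain is not a whole number of 64-bit words")
    words = [WORD.unpack_from(chain, i)[0] for i in range(0, len(chain), WORD.size)]
    regs = {"r3": 0, "r4": 0, "r11": 0}
    invocations = []
    sp = 0
    while sp < len(words):
        addr = words[sp]
        sp += 1
        if addr not in GADGETS:
            raise RuntimeError(f"returned into a non-gadget address {addr:#018x}")
        name, frame_words, value_index = GADGETS[addr]
        if sp + frame_words > len(words):
            raise RuntimeError(f"{name}: frame runs past the end of the chain")
        if name.startswith("load_"):
            regs[name[5:]] = words[sp + value_index]
        elif name == "syscall":
            invocations.append(syscall(regs["r11"], regs["r3"], regs["r4"]))
        elif name == "halt":
            return invocations
        sp += frame_words       # the gadget's return pops the word after its frame
    raise RuntimeError("chain ran off the end without reaching halt")


def example_chain():
    """Load three registers, fire one hypothetical syscall, then stop."""
    return build_chain([
        ("load_r11", 0x1FF),                  # hypothetical syscall number
        ("load_r3", 0x8000_0000_0000_1000),   # hypothetical first argument
        ("load_r4", 0x100),                   # hypothetical second argument
        ("syscall", None),
        ("halt", None),
    ])


if __name__ == "__main__":
    chain = example_chain()
    print(f"{len(chain)} bytes, {len(chain) // WORD.size} words")
    print(run_chain(chain, lambda n, a, b: (n, a, b)))
```

The simulator is deliberately strict: returning into an address that is not a known gadget, or running past the end of the chain without a terminating gadget, is reported as an error, which is the same class of mistake (a wrong offset, a missing padding word) that crashes a real chain.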

The Current Status

For now, the main project we are working on will not jailbreak all consoles.

It will enable flash dumps from all consoles but flash write only on consoles up to 25xx, so consoles that are not CFW compatible will not really benefit just yet, except for dumping flash & IDPS, but not for JB.

For those with CFW compatible consoles on OFW, once flash is overwritten with a db OFW copy, a user can reboot and then install the CFW of their choice. Hardware flashers are then obsolete. You could also overwrite the flash memory in more recent consoles, but that would result in a brick due to metldr2.

It's only after that flash management project is done, hopefully in March, that we will begin working on exploiting lv2. If we get the results we wish, we should be able to make a TaiHEN type of hack for all consoles including SuperSlims.

Once lv2 is exploited, I am not sure yet how far I will take it, whether I will also try to take on lv1, or leave it for someone else to build on by releasing a fully commented & dev-friendly version... We will see how things go...

However, even without lv1, direct access to lv2 functions using the right parameters would allow us to run homebrew (except those needing lv1 peek/poke) & backups without problems, along with many other things.

I have added this tab to collect news and threads related to this project that have appeared since this article was written.

Stay tuned to psx-place.com as this story develops; we have the inside scoop on all the details as they come in. This is a huge breakthrough for the PS3 community and will only progress from here on out!

Well, well! You have (probably) already heard about the several PlayStation Developer Wikis, for the PS3 and the PS4 but also for handheld consoles like the PSP and PS Vita, each with a strong community and useful information. But while the current console generations were already well served by their own wikis, something was missing: if you wanted information about older Sony consoles, to be honest, the information was very thin. That lack of useful information can now change with your help. Thanks to the well-known user @GregoryRasputin, you can now contribute to a PS1 and a PS2 DevWiki! Yeah, that's right: Sony's first two home consoles are getting their own dedicated wikis and everyone is welcome to contribute.

While we have seen PS2 developer @sp193 busy with several new updates to the Free Memory Card Boot (FMCB) exploit recently, the dev, along with other PS2 devs like Maximus32, has been putting in work and making some "HUGE advancements" to OPL, as @TnA details. Open PS2 Loader, better known simply as OPL, is moving along nicely with the times and still making great strides in 2018; from here I will leave it to TnA, who has summed up the various progressions of this very popular PS2 project.

The PS2 community is still going strong and developer @sp193 continues to make improvements across the board on the PS2, with some of the dev's latest work coming as a series of new updates to Free Memory Card Boot (FMCB). Since June of this year the dev has provided progress reports in the thread (in the psx-place forums) and kept us informed. There have been a lot of changes since June, and each of them can be seen under "Recent Developments" along with other details about the project; be sure to view all the links the dev has provided for additional details if you are a newcomer to FMCB or the PS2.

Comments

For info, the IDPS dumper will create a file on usb000, then beep 3 times & shut down in all cases, even if the flash memory read fails. eMMC should not make a difference to this. You will get garbage in idps.bin in that case.
A JS error with a black page message on the PS3 should not happen. If it ever did, just report it & in the meantime keep relaunching the exploit. Nobody has had this issue in dozens of tests though.

And clearing the cache or cookies is totally unnecessary with the exploit & the WebKit JS interpreter. Between runs, garbage collection will take care of cleaning up what is needed; the job it does is always sufficient.
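Since the dumper writes idps.bin and shuts down whether or not the flash read succeeded, a user cannot tell from the console itself whether the file holds a real identifier or garbage. The following added check (my example, not part of the PS3Xploit release) classifies a dump file before anyone relies on it. It assumes a PS3 IDPS is exactly 16 bytes and begins with the prefix 00 00 00 01; both the sample dumps and the 16-byte/prefix rule are stated here as assumptions of the example, and the sample bytes are constructed, not real console identifiers.

```python
import os
import tempfile

IDPS_LEN = 16
# Assumption used by this check: a PS3 IDPS begins with 00 00 00 01.  A dump
# that does not match is reported as garbage (the failed-read case above).
IDPS_PREFIX = b"\x00\x00\x00\x01"


def hexdump(data: bytes) -> str:
    """Render bytes as space-separated hex for eyeballing a dump."""
    return " ".join(f"{b:02x}" for b in data)


def classify_idps(data: bytes) -> str:
    """Return 'plausible', 'wrong-length', 'blank' or 'garbage' for a dump."""
    if len(data) != IDPS_LEN:
        return "wrong-length"
    if data == b"\x00" * IDPS_LEN or data == b"\xff" * IDPS_LEN:
        return "blank"          # looks like an erased/unread region, not an identifier
    if not data.startswith(IDPS_PREFIX):
        return "garbage"
    return "plausible"


def check_dump_file(path: str) -> tuple:
    """Read idps.bin as the dumper leaves it on usb000 and classify it."""
    with open(path, "rb") as f:
        data = f.read(IDPS_LEN + 1)   # one extra byte so an oversized file is caught
    return classify_idps(data), hexdump(data)


# Constructed samples for the demo (not real console identifiers).
SAMPLE_PLAUSIBLE = bytes.fromhex("00000001 0089000b 11223344 55667788")
SAMPLE_GARBAGE = bytes.fromhex("9d4c0f27 e1b36a58 0c7f92d4 3ba6e015")


def demo() -> dict:
    """Write the constructed samples to temporary files and check each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cases = (
            ("plausible", SAMPLE_PLAUSIBLE),
            ("garbage", SAMPLE_GARBAGE),
            ("short", SAMPLE_PLAUSIBLE[:8]),
        )
        for label, blob in cases:
            path = os.path.join(d, f"idps_{label}.bin")
            with open(path, "wb") as f:
                f.write(blob)
            results[label] = check_dump_file(path)
    return results


if __name__ == "__main__":
    for label, (verdict, hexs) in demo().items():
        print(f"{label:>9}: {verdict:<12} {hexs}")
```

To check a real dump, call check_dump_file("/path/to/usb000/idps.bin"); anything other than "plausible" means the file should not be used for a downgrade or for anything else that depends on the console identity.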


True, it dumped a garbage IDPS for me. @bguerville, please answer: when do you think you guys will release an eMMC IDPS dumper?

Great release!
Big thanks to everyone involved, and let's enjoy this.
I would like to make a simple suggestion which could be pointless but is worth saying.

Since the 3000 and 4000 series will most likely require more work, and even when hacked it's quite possible that their CFW (whatever form it takes) would have to be a bit different from those with the lowest minver, I would suggest splitting the work.

There already are stable and tested CFWs for all the phats and 250x, so why not simply enable QA Toggle on these consoles and then downgrade to 3.55 and then straight to CFW?
I don't know if this idea would work, but I strongly believe that it must be less work and furthermore less dangerous than NAND flashing through an exploit.

@bguerville, @esc0rtd3w, please answer me. I know I have asked too many times, but believe me, it's hard to see every model getting its IDPS except mine because I have eMMC. Please answer; I also asked on psxhax: how long will it take for the IDPS dumper to work on eMMC, will it take a couple of days or months? Please, I need the answer and many other eMMC owners need it as well.


It shows in the screenshot that it will be added... these guys are working hard already, no need to push them harder. You could also try a regular HDD, if that is the problem. Easy to find.

@esc0rtd3w When you have achieved IDPS dumping on the 12 GB 4*** models, could you then also add support for firmware 4.66? As I heard, 4.70 fixed injection methods, and we would then already have a bit to play around with, and you could take your time on the exploit without being asked for it every 5 minutes somewhere.

@esc0rtd3w, I noticed that somewhere else you posted that the problem with the corrupted IDPS was sys_open_storage or something like that for the eMMC models.
So the IDPS is extracted correctly but the binary file is not written properly?
If yes, then why not simply print the bytes by setting the innerHTML in the page itself?
After that, let the user manually type the bytes in a hex editor, save it as binary and test the new file using extraction with TABR or p3xploit.

Exploit does not work for me. Used a Python3 server.py that someone gave me and it tells me this : 192.168.0.** - - [11/Nov/2017 15:37:08] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x007\x01\x00\x003\x03\x01Z\x07')
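The bytes quoted in the error above are worth decoding, because they identify the cause precisely: 0x16 is a TLS handshake record, 0x03 0x01 is record version TLS 1.0, and the following handshake type 0x01 is a ClientHello. In other words the PS3 browser opened a TLS connection to a server that only speaks plain HTTP, which Python's http.server reports as a "Bad HTTP/0.9 request" (the usual cause is a URL entered with https:// instead of http://). The parser below is an added example of mine, not part of the exploit package or anyone's server.py; the sample bytes are copied from the comment (note that Python's repr shows the byte 0x00 followed by the ASCII character '7' as '\x007').

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ", b"DELETE ")


def classify_request(head: bytes) -> dict:
    """Classify the first bytes a server read from a client socket."""
    if head.startswith(HTTP_METHODS):
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return {"kind": "http", "request_line": request_line}
    if len(head) >= 5 and head[0] == TLS_HANDSHAKE and head[1] == 0x03:
        # TLS record header: type(1) version(2) length(2)
        rec_version, rec_len = struct.unpack(">HH", head[1:5])
        info = {
            "kind": "tls",
            "record_version": TLS_VERSIONS.get(rec_version, hex(rec_version)),
            "record_length": rec_len,
        }
        if len(head) >= 11 and head[5] == TLS_CLIENT_HELLO:
            # Handshake header: type(1) length(3), then the client_version(2)
            hs_len = int.from_bytes(head[6:9], "big")
            client_version = struct.unpack(">H", head[9:11])[0]
            info.update(
                handshake="ClientHello",
                handshake_length=hs_len,
                client_version=TLS_VERSIONS.get(client_version, hex(client_version)),
                # record payload = 4-byte handshake header + handshake body
                consistent=(rec_len == hs_len + 4),
            )
        return info
    return {"kind": "unknown"}


# The bytes from the comment above; the quoted repr was truncated, so this is
# only the first 13 bytes of the ClientHello (record length says 55 follow).
PS3_REQUEST = b"\x16\x03\x01\x007\x01\x00\x003\x03\x01Z\x07"


def explain(head: bytes) -> str:
    """One-line diagnosis suitable for a server log."""
    info = classify_request(head)
    if info["kind"] == "tls":
        return (f"client sent a {info['record_version']} {info.get('handshake', 'handshake')} "
                f"to a plain-HTTP listener; serve over http:// or enable TLS")
    if info["kind"] == "http":
        return f"plain HTTP request: {info['request_line']}"
    return "unrecognised protocol"


if __name__ == "__main__":
    print(classify_request(PS3_REQUEST))
    print(explain(PS3_REQUEST))
    print(explain(b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.2\r\n\r\n"))
```

The record length (0x0037 = 55) equals the handshake length (0x000033 = 51) plus the 4-byte handshake header, so the quoted bytes are a well-formed TLS 1.0 ClientHello and not line noise; nothing on the server side will make that handshake succeed except actually terminating TLS there.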


Just host it with XAMPP as an alternative. It'll work using that too, and it'll also be faster.

Okay, thanks. Do you have any tutorials to hand for hosting files? I always had problems making files hostable.


Create a folder (name it anything you want), place the hosted files in it, then drop that folder into htdocs in the root of the XAMPP folder (where XAMPP was installed). You're now self-hosting. To access the content, type in the IP address of your computer followed by /(name of the folder you created). You would do this on the PS3. Make sure XAMPP is active before doing so.

I haven't looked into how this (the IDPS dumper) works, but that's how you self-host with XAMPP.


It works the same way as a software flasher, but it only reads a specific region of flash using storage_open and storage_read.
